Is there a better way than zebra stripes
I would've loved to see double striped also included in the table, as well as some timing data (I'd think that plain tables would particularly lead to much longer answering times). Still very cool research.

May 28

comment

Why do door knobs still exist?
I've seen the two cats of my friends open doors by jumping up and catching the handle. It got that bad that they now have to lock their front door all the time to avoid the cats getting out. So yep, bad usability can be an advantage. On the other hand, seeing a cat hang on a door handle is entertainment for hours.

How to prevent users using your app while driving?
And a "professional carpenter" should know better than to get his fingers into a buzz saw, but it still happens, and we have protection for that now. A "professional programmer" should never dereference a null pointer, but it still happens every day, and we now have languages that catch that behavior and don't result in undefined behavior. And... well, I could go on until the end of the day on why this is handwaving. Heck, never read about all those aviation and nuclear accidents that were caused by professionals due to bad design? Humans are imperfect; accept it and design for it.

May 22

comment

How to prevent users using your app while driving?
It depends solely on the app. If this is, for example, an app used by cab drivers (well, those privatized taxi services), there would be no use case at all where a passenger would ever need to use the app. In such a case, making it impossible to use it while driving would have saved at least one life in the last few months, and that's just the one case that was in the media and I saw.

Allowing every password of 6+ characters. Good practice?
Hmm, Bloom filters would have to take care of the usual trivial replacements (e->3) and other canonicalizations beforehand, but yes, that should work. 10kb of data seems quite big anyhow; that should allow you to store the ~2k most used words without any compression to begin with. You'd need different Bloom filters for all the different grammar groups though for grammatical analysis to work. Here's the paper btw.

Apr 22

comment

Allowing every password of 6+ characters. Good practice?
I'll see if I can find the paper (MIT, I think?) where people created rules for popular tools to crack those kinds of passwords. That would be a good starting point; not sure how complicated an implementation of this would be (and you'd need an annotated dictionary... mhm). Tempting to write an algorithm that takes that into account, actually.

Apr 22

comment

Allowing every password of 6+ characters. Good practice?
If it were 4 randomly chosen dictionary words, you'd be absolutely right. The problem arises from the fact that it's a grammatically correct sentence (with just trivial replacements), which constrains the search space immensely. And yes, you can teach a computer those rules, although I think most popular tools don't have them built in so far.

Apr 21

comment

Allowing every password of 6+ characters. Good practice?
@R. Rereading it, you're absolutely right; some parts of my answer were purely in my head. My comment was only about whether length alone can be good enough as a security requirement, not about the "xkcd method". Should I delete the comment so as not to confuse other people, or would that be in bad taste, hiding "evidence" after being called out on it?

Apr 21

comment

Allowing every password of 6+ characters. Good practice?
The plugin doesn't seem to take dictionary attacks together with grammatical analysis into account. 'mX/%S" (7 random printable ASCII characters) is definitely stronger than What a n1c3 day. despite the second one being more than double the length.

Apr 21

comment

Allowing every password of 6+ characters. Good practice?
There was a paper that showed that if you actually use a grammatically correct English sentence, the search space is small enough that you can crack sentences with 20 letters (or something like that). So it's not that clear cut. But in practice it's probably still better than what your usual user would pick otherwise.

Apr 14

comment

What is the best way to inspire users to choose strong password?
This is horrible advice all around. The 2 "problems" given (users may leave a note on their desk or may let their browser/pw manager save them) are extremely good ideas! #1: If an attacker has physical access to your machine, you have lost whatever you do, even if you use TrueCrypt on your whole HDD and secure boot. #2: A virus/trojan that can read the browser's pw file already has to be elevated (assuming the permissions/ACLs are correctly set; you'd hope so in any case), which means it's game over anyhow. "mycat81" would probably be cracked by any modern hardware in a few hours tops.